So, you’ve heard the term “Phishing Scam” mentioned by the water cooler, often followed by the tragically untrue blanket phrase “Oh, I’d never fall for that.” But what is it? And why do so many companies fall victim to an attack that requires the user to “fall for” a trick?
Here’s an example of a basic phishing scam. This email was delivered to some of our customers, many of whom in fact do subscribe to Zimbra collaborative email service:
From: Zimbra [firstname.lastname@example.org]
Sent: December 16 5:48 PM
Subject: Zimbra User: 16/12
Your Mailbox Has Exceeded It Quota/Limit As Set By Web Team, And You May Not Be Able To Send Or Receive New Mails Until You Re-Validate Your Mailbox. To Re-Validate, Please CLICK to Re-Validate Your Mailbox.A phishing scam email that was sent to some of our customers.
This email, at first glance, appears legitimate–especially to an individual who uses Zimbra for their email. After all, it says it’s coming from zimbra.com. Unfortunately, this is sometimes all it takes for a user to “fall for it,” clicking the link. In some cases, that’ll install ransomware or some other malware, but in a pure phishing scam, the user will be prompted to “login to Zimbra”, not realizing that they are not actually logging into Zimbra, but instead submitting their username and password to a malicious party looking to compromize Zimbra accounts. It’s called a Phishing Site, and it is designed to look very similar, or sometimes identical to the real login site. This could be Zimbra, or it could be online banking.
Tip: In the example I provided above, there are a number of spelling and grammar mistakes. While it’s fair to say that a poorly worded email such as this is quite likely to be a scam, it is not true to say all scam emails have bad grammar. Don’t be fooled into thinking that a well-written scam email is safe.
How can you protect yourself?
There is software that can help, such as ESET Smart Security for home users or ESET Endpoint Protection Advanced for business. But is that the final solution? No. While helpful in identifying and blocking phishing emails, thereby reducing and often eliminating the threat, no software can replace a user’s personal ability to identify and thwart these phishing attempts.
For you or your staff to really protect yourselves, you need to be cautious, even a little suspect, and you need to know four things:
1 – The sender you see may not be the real sender
Email addresses can be spoofed… meaning a scam can look like it is coming from a legitimate email address–even someone you know–but could be falsified. Because email spoofing is extremely easy to achieve for even a novice attacker, it is also very common.
2 – Knowing how to identify real links helps you identify fake ones
The login form for the Zimbra service hosted by Positive E Solutions Inc. is located at https://zimbra.positiveesolutions.ca.
Knowing the true web site address of your subscribed services is a powerful weapon against phishing scams. Your bank has a specific login URL. Learn it. If the link differs, you can more easily spot a fake.
If you hover (don’t click) your mouse over a phishing scam email’s link, you’ll notice that the web site address differs from the actual URL. Watch this trick scammers often use: hover over this URL but don’t click on it: www.rbcroyalbank.com. Notice the little popup? It’s not actually Royal Bank!
Tip: Smart attackers will include a combination of both real and fake links within a scam email. This is to give the user a false sense of legitimacy upon checking one or two links. Be sure to inspect all links for this tactic. If nine links are legitimate and one is suspect, discard the email.
Taking it one step further, phishing scams will often create similar looking domains: g00gle.com or piaypal.com might trick you if you don’t look closely. It is always safest, when in doubt, to not click a link in an email, but instead, type the known safe URL directly into your browser, or login as you normally do. By logging into your real Zimbra account for example, you would see that you indeed have not exceeded your quota, and therefore can discredit the email as a phishing scam.
3 – Links in and of themselves should trigger your suspicions
We, and other legitimate companies, make an effort to never send emails which provide links that require you to login to an account. If in doubt, again, refer to my previous point: login via your normal means, don’t follow a link in an email.
4 – Phishing scams could appear to come from any service
You may receive phishing emails that appear to be from your financial institution, social media account providers (Facebook, Twitter, etc.) or any other web site. Some are easy to spot. Others can look exactly like a legitimate email from that provider. Using the above techniques, you will outsmart the phishers and keep your accounts safe.
Have you fallen for a phishing scam?
Change your password immediately. Strong passwords are a must. Don’t make it something easy to guess. Never use the same password on more than one service. If you do, change the password on all of those as well.
For some great tips on how to create strong passwords that are very difficult for a malicious party to compromize, tune into to The EndpointSecurity.ca Podcast Episode 1, where my guest Tony Anscombe shares his method of choosing strong yet memorable passwords.
Need to protect your business?
Research shows us that approximately 10% of Canadians click the links in a phishing scam email. Let’s reduce the risk for your staff by removing phishing scams before they ever touch their inbox.
ESET Endpoint Protection Advanced provides anti-phishing and anti-spam, combined with other protections for your network.
I originally wrote this post on December 17, 2014. It has been edited and re-posted in 2019 with more current information.
Robbie Ferguson is the host of the Endpoint Security Podcast at Positive E Solutions Inc. His day-to-day includes providing security-related advice and training to companies and individuals across Canada, and offering solutions to protect against modern threats in the workplace.